Unusual file permissions on WordPress websites

I’ve been asked by a customer of mine, to manage a few hundred WordPress sites.

Doing an initial security assessment, I’ve found that every site (350 sites) has unusual file permissions on every php file (755) that means executable bit on all groups (user, group and other)… Trying to investigate further, I’ve checked umask settings and it seems ok: 0002 (that means 775 for newly created directories and 664 for files) which is the default on Linux systems.

Asking my customer about this unusual permissions, he confirmed that he wasn’t aware of this issue…

Which could be the security implications of such a setting? Can this be exploited somehow by a remote user?

Thanks for any help!